Re: scrollkeeper loading external (online) DTD

2003-01-09 Thread Daniel O'Neill
That's absolutely ridiculous.

I would file one at once, that should definitely not go unchecked, at least.
I can appreciate the motivation, but for my own sanity I'm too paranoid to
a) accept strange unknown files/connections or b) send out requests for such
data. Especially considering since it all happens without my knowledge, which
thanks, now I know. Who knows if the file is the original? The checksum is
verified, but that doesn't mean much all things considered, where did the
checksum come from?

On 08 Jan 2003 22:54:12 +0100
Sebastien Chaumat <[EMAIL PROTECTED]> wrote:

> Hi,
> 
>  This is a real example:
> 
>  The xbill package contains: /usr/share/gnome/help/xbill/C/xbill.xml
> 
>  In this file the DTD is referred to by an absolute external link:
> 
>  "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
> 
>  Thus: scrollkeeper-update blindly connects to www.oasis-open.org to get
> the docbookx.dtd.
> 
>  I can trust signed Debian packages but I can't trust 
> www.oasis-open.org.
> 
> More than 18 files in /usr/share/gnome/help/ induce this download.
> 
> I am about to make a bug report against scrollkeeper (for acting blindly,
> and downloading the same file more than once) and against packages that
> provide the XML files (for using an external DTD instead of providing
> it)...
> 
> Your opinion?
> 
> Cheers,
> 
> SEb


pgpua9VQx6pEu.pgp
Description: PGP signature
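
An audit for the situation described in this message, as an added example that is not part of the original thread: it lists which help files declare a DTD by remote URL, without parsing them, so the check cannot cause the download itself. The function names, the sample tree and the two `sample-*` files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# <!DOCTYPE root PUBLIC "public-id" "system-id"  or  <!DOCTYPE root SYSTEM "system-id"
DOCTYPE_RE = re.compile(
    r"""<!DOCTYPE\s+[^\s\[>]+\s+
        (?:PUBLIC\s+(?P<q1>["'])(?P<public>.*?)(?P=q1)\s+|SYSTEM\s+)
        (?P<q2>["'])(?P<system>.*?)(?P=q2)""",
    re.VERBOSE | re.DOTALL)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def remote_dtd(path):
    """Return the remote system identifier a file declares, or None."""
    # Read the prolog as text only; no XML parser is involved, so nothing is resolved.
    head = Path(path).read_bytes()[:8192].decode("utf-8", errors="replace")
    m = DOCTYPE_RE.search(head)
    if m and m.group("system").lower().startswith(REMOTE_SCHEMES):
        return m.group("system")
    return None


def scan_help_tree(root):
    """Map each remote DTD URL to the files under root that reference it."""
    hits = {}
    for xml in sorted(Path(root).rglob("*.xml")):
        url = remote_dtd(xml)
        if url:
            hits.setdefault(url, []).append(xml.relative_to(root).as_posix())
    return hits


def build_sample_tree():
    """Constructed sample tree: two files use the remote DTD, one a local copy."""
    remote = ('<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"\n'
              ' "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [\n]>\n<article/>\n')
    local = '<!DOCTYPE article SYSTEM "docbookx.dtd">\n<article/>\n'
    root = Path(tempfile.mkdtemp())
    for name, text in (("xbill/C/xbill.xml", remote),
                       ("sample-a/C/a.xml", remote), ("sample-b/C/b.xml", local)):
        (root / name).parent.mkdir(parents=True)
        (root / name).write_text(text)
    return root


if __name__ == "__main__":
    for url, files in scan_help_tree(build_sample_tree()).items():
        print(f"{len(files)} file(s) reference {url}: {files}")
```

Pointing `scan_help_tree` at a real help directory gives the per-URL file list needed for bug reports against the individual packages.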



Re: Can this be considered a DoS-attack?

2003-01-08 Thread Daniel O'Neill
No, and it seems they've fixed their problem on their end.

I think it hurt them a lot worse (on bandwidth) than it hurt you :)

On Wed, 8 Jan 2003 19:21:45 +0100 (CET)
Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> wrote:

> http://www.raycomm.com/techwhirl/magazine/technical/linux.html


pgp9lyvIGfomj.pgp
Description: PGP signature



Re: Strange access.log entries

2002-10-16 Thread Daniel O'Neill
I don't know if it's the catch on your problem, but it'll be interesting
reading no less;

http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0037.html

On Wed, 2002-10-16 at 12:19, Simon Langhof wrote:
> Hi
> I noticed some (40 until now) strange entries in my Apache access.log. They 
> started today at 2:43 GMT and all look like this:
>  - - [16/Oct/2002:07:42:56 +0200] "\xe3@" 501 - "-" "-"
> 
> Only the request string changes, there are:
> "\xe3@"   25 of this
> "\xe3="  9 of this
> "\xe3G"  4 of this
> "\xe3Y"  2 of this
> 
> They come from 9 IPs, where the last character always was the same from each 
> IP.
> 
> Is that a new worm, or an old one I missed?
> 
> Simon Langhof



signature.asc
Description: This is a digitally signed message part
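
The tally described in the quoted post, as an added example that is not part of the original thread: it pulls requests that are not HTTP request lines out of an Apache access log, counts them per request string, and checks whether each source address always sent the same string. The log lines are constructed (addresses from the documentation ranges) and the function name is an assumption.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix; the request field may contain \xNN escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+')
HTTP_REQ_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

# Constructed sample lines, modelled on the entry quoted in the post.
SAMPLE_LOG = r'''
192.0.2.10 - - [16/Oct/2002:07:42:56 +0200] "\xe3@" 501 - "-" "-"
192.0.2.10 - - [16/Oct/2002:07:43:10 +0200] "\xe3@" 501 - "-" "-"
198.51.100.7 - - [16/Oct/2002:07:44:01 +0200] "\xe3=" 501 - "-" "-"
203.0.113.5 - - [16/Oct/2002:07:45:30 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
198.51.100.7 - - [16/Oct/2002:07:46:12 +0200] "\xe3=" 501 - "-" "-"
203.0.113.9 - - [16/Oct/2002:07:47:44 +0200] "\xe3G" 501 - "-" "-"
'''.strip().splitlines()


def summarize_malformed(lines):
    """Tally requests that are not HTTP request lines, per string and per IP."""
    by_request = Counter()
    by_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or HTTP_REQ_RE.match(m.group("req")):
            continue  # unparsable line or an ordinary HTTP request
        by_request[m.group("req")] += 1
        by_ip[m.group("ip")].add(m.group("req"))
    # True when every source sent only one distinct string, as the post reports.
    one_string_per_ip = all(len(reqs) == 1 for reqs in by_ip.values())
    return by_request, dict(by_ip), one_string_per_ip


if __name__ == "__main__":
    by_request, by_ip, consistent = summarize_malformed(SAMPLE_LOG)
    for req, count in by_request.most_common():
        print(f'"{req}"  {count}')
    print(f"{len(by_ip)} source addresses, one string per address: {consistent}")
```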



Re: port 16001 and 111

2002-10-15 Thread Daniel O'Neill
Specifically, port 16001 is ESD (ESound) IIRC..

On Tue, 2002-10-15 at 10:55, Giacomo Mulas wrote:
> On Tue, 15 Oct 2002, Jussi Ekholm wrote:
> 
> > So, what would try to connect to my system's port 16001 and 111 from
> > within my own system? Should I be concerned? Should I expect the worst?
> 
> port 16001 means that you are running gnome, and is perfectly normal. Port
> 111 is the portmapper, which means that there is a client connecting to an
> RPC based service on your computer, i.e. NIS, whatever like that. As an
> example, there are a few encrypted file systems which make use of NFS
> on localhost, like CFS and SFS. Check it out. However, by the looks of it
> it does not seem anything dangerous.
> 
> Bye
> Giacomo






Re: base-passwd bug?

2002-10-10 Thread Daniel O'Neill
I had the same problem.  This kind of initiative by the package
shouldn't be so passive.  It should be corrected, or one might find
themselves frustrated.

On Thu, 2002-10-10 at 23:51, Olaf Meeuwissen wrote:
> Jussi Ekholm <[EMAIL PROTECTED]> writes:
> 
> > J.H.M. Dassen (Ray) <[EMAIL PROTECTED]> wrote:
> > > On Thu, Oct 10, 2002 at 21:31:13 -, Kisteleki Róbert wrote:
> > >> Yesterday I upgraded two servers with apt, which in turn upgraded
> > >> the base-passwd package. The root password seems to be "upgraded"
> > >> also, since one of the two machines doesn't allow su-ing to root
> > >> any more; regular users can log in normally.
> > > 
> > > Try logging in on a tty/console. A new PAM has been introduced in
> > > unstable recently as well; it may well still have a few rough edges
> > > which could affect 'su'.
> > 
> > I'm running roughly 90% testing and 10% unstable system, and the
> > base-passwd which got upgraded yesterday, works just fine here. It
> > added one new group, though, which I'm concerned of because I don't
> > know what this group is. It's called 'sasl' -- what uses it?
> 
> From /usr/share/doc/base-passwd/changelog.gz
> 
> base-passwd (3.4.2) unstable; urgency=low
> 
>   * Add new sasl group used to regulate access to the sasl secrets
>   * Drop prerm
>   * No longer make /usr/doc symlinks
> 
>  -- Wichert Akkerman <[EMAIL PROTECTED]>  Fri, 27 Sep 2002 19:35:30 +0200
> 
> Install apt-listchanges and you can get to see these kinds of things
> before you upgrade and/or mailed to an address of your choice.



